Cryptography the .NET Way

The .NET Framework classes for cryptography don't require you to become an expert mathematician or a cryptography guru. You'll find symmetric and asymmetric cryptographic providers as well as hash providers. Some of these provider classes end up calling into the unmanaged CryptoAPI library while other parts of the .NET cryptography solution are purely managed code.

by Dino Esposito

Aug 7, 2003


Prior to the .NET Framework, programming encryption was sort of an obstacle race. You first had to find the right algorithm, then set up the key, and finally struggle with the programming interface of the library. With the .NET Framework, doing encryption is no longer a cryptic task. Simple and well-designed classes let you tackle symmetric, asymmetric, and hash algorithms.
Cryptography is as ancient as the world is. Have you heard about the ingenious tricks performed by Roman commanders such as Julius Caesar and Augustus to send orders to detached troops? They scrambled their messages by replacing each letter of the alphabet with the letter a fixed number of positions further along. This number was the actual key to decode the message. In particular, Caesar used to shift letters by 3 positions (A becomes D and Z becomes C), whereas Augustus preferred to shift by 1. Caesar's cipher book probably was the predecessor of today's public key encryption algorithms.

A good set of cryptographic tools is vital in many sectors of the software industry. Cryptography protects the confidentiality of the data being exchanged, but it also prevents attacks that a sniffer could plan once he or she knows internal aspects of the system. Using cryptography you can make connections safer as your code enables reliable and secure user authentication.

Cryptography itself is not that difficult to work with, but it can have an overly complex API. Since in many real-world scenarios you can't just do without encryption, the more a software platform supports you with easy-to-use tools, the better. A good measure to evaluate such tools is the level of expertise in the cryptographic science they assume. In the .NET Framework, cryptographic services have been designed to smooth difficulties quite a bit. As a result, using cryptographic providers and encryption classes is not harder than using, say, XML readers or ADO.NET data relations.
In this article I'll take you on a whistle-stop tour of cryptography in the .NET Framework. I'll discuss symmetric and asymmetric algorithms as well as hashing techniques. After that, I'll show you practical implementations of encryption and hashing on disk files and streams. Using encryption in Web applications is nearly identical to using it in Windows applications. The final part of this article discusses how the ASP.NET infrastructure makes use of encryption internally.

Cryptography Overview
Cryptography is the science (or is it better described as an art?) that encrypts information so that it looks completely different from the original, scrambled and camouflaged. Cryptography must be a two-way and lossless channel. In other words, there must be a way for a user to decrypt the encrypted information and regain the original information. Only one user should be able to perform this task: the user who holds the key used to encrypt. Generations of scientists and mathematicians and even hobbyists have worked hard to come up with effective techniques to define keys and generate algorithms.

Hash values represent an effective way to verify the integrity of the data being received over a potentially insecure channel.

Cryptography serves three main purposes: confidentiality, data integrity, and authentication. Confidentiality means that data is scrambled and hidden from ill-intentioned, or simply too curious, eyes. Data integrity prevents tampering with the data, whereas authentication consists in verifying the identity of the sender to ensure that he or she is exactly who they say that they are.

Symmetric algorithms perform a transformation on data, camouflaging its real contents. In doing so, they employ a single secret key to both encrypt and decrypt data. Anyone who gets the key can decrypt any file encrypted with that key.

Asymmetric algorithms use a pair of keys, known as public/private keys. Anyone can use a public key to encrypt data. Only a particular private key, though, can decrypt that content. To set up a public key encryption, you must use a pair of public and private keys that are mathematically linked. Once you obtain a pair of keys, you keep the private key for yourself and distribute the public key to anyone who needs to send data to you. The algorithm is said to be asymmetric because two different keys are involved: one to encrypt and one to decrypt.
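The two kinds of algorithm described above, as an added example that is not code from the original article: it uses the current `System.Security.Cryptography` classes (`Aes`, `RSA`) and goes one step beyond the text by combining them, the usual pattern because RSA can only encrypt short inputs. The class name, method names and sample message are assumptions made for illustration.

```csharp
// Added example (not from the article): AES encrypts the data, RSA protects the AES key.
using System;
using System.Security.Cryptography;
using System.Text;

static class HybridDemo
{
    // Sender side: needs only the recipient's PUBLIC key.
    static (byte[] WrappedKey, byte[] Iv, byte[] Ciphertext) Seal(RSAParameters recipientPublic, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())   // fresh random key and IV; CBC mode, PKCS7 padding by default
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(recipientPublic);
            // Asymmetric step: anyone holding the public key can wrap a key for the recipient.
            byte[] wrappedKey = rsa.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA256);
            // Symmetric step: the same AES key will later decrypt this ciphertext.
            // CBC gives confidentiality only; it does not detect tampering.
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return (wrappedKey, aes.IV, enc.TransformFinalBlock(plaintext, 0, plaintext.Length));
        }
    }

    // Recipient side: the PRIVATE key unwraps the AES key, which then decrypts the data.
    static byte[] Open(RSA recipientPrivate, byte[] wrappedKey, byte[] iv, byte[] ciphertext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = recipientPrivate.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    static void Main()
    {
        using (RSA recipient = RSA.Create(2048))   // key pair stays with the recipient
        {
            RSAParameters publicOnly = recipient.ExportParameters(false); // public half, safe to distribute
            byte[] message = Encoding.UTF8.GetBytes("constructed sample message");

            var sealedMsg = Seal(publicOnly, message);
            byte[] roundTrip = Open(recipient, sealedMsg.WrappedKey, sealedMsg.Iv, sealedMsg.Ciphertext);
            Console.WriteLine(Encoding.UTF8.GetString(roundTrip));
        }
    }
}
```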

A digital signature is designed to ensure that any received data originates from a specific user. A digital signature is a block of data that is unique to a party.

People often use hash functions to digitally sign documents. A hash function creates a fixed-length array of bytes given a block of data of any length. More importantly, the hash code generated is mathematically guaranteed to be random and unique and not particularly affine to the data. Put another way, two nearly identical streams of data generate radically different hash codes.
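The hash properties described above (fixed-length output, very different digests for nearly identical input) and the integrity check mentioned earlier, as an added example that is not code from the original article. It uses SHA-256 from `System.Security.Cryptography`; the class name, helper names and sample strings are assumptions made for illustration.

```csharp
// Added example (not from the article): SHA-256 digests and a receiver-side integrity check.
using System;
using System.Security.Cryptography;
using System.Text;

static class HashDemo
{
    static byte[] Sha256(string text)
    {
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(text));
    }

    // Number of bit positions in which two equal-length digests differ.
    static int DifferingBits(byte[] a, byte[] b)
    {
        int count = 0;
        for (int i = 0; i < a.Length; i++)
            for (int x = a[i] ^ b[i]; x != 0; x >>= 1)
                count += x & 1;
        return count;
    }

    // Receiver side: recompute the digest and compare it in constant time.
    static bool Verify(string received, byte[] expectedDigest)
    {
        return CryptographicOperations.FixedTimeEquals(Sha256(received), expectedDigest);
    }

    static void Main()
    {
        string original = "Transfer 100 EUR to account 12345"; // constructed sample
        string altered  = "Transfer 900 EUR to account 12345"; // one character changed
        byte[] d1 = Sha256(original), d2 = Sha256(altered);

        Console.WriteLine(BitConverter.ToString(d1));
        Console.WriteLine(BitConverter.ToString(d2));
        Console.WriteLine("digest lengths: {0} and {1} bytes", d1.Length, Sha256("x").Length);
        Console.WriteLine("bits changed: {0} of {1}", DifferingBits(d1, d2), d1.Length * 8);
        Console.WriteLine("original verifies: {0}", Verify(original, d1));
        Console.WriteLine("altered verifies:  {0}", Verify(altered, d1));
    }
}
```

The check only helps when the expected digest reaches the receiver by a path the sender of the data cannot alter; a digest delivered alongside the data over the same insecure channel can be replaced together with it.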